What can an attacker with root access on a GKE node do on the network?

Çağlar Arlı

Let’s say that an attacker, through some chain of exploits, manages to get root on a Kubernetes node. Can they disable network policies on that node? I know that to a large extent this depends on the underlying networking implementation/CNI, so for concreteness I am particularly interested in GKE. My understanding is that network policies effectively translate into iptables rules on the node, so my expectation is that an attacker with root on the node could in fact disable those rules for that particular node. Is this true? Obviously, network policies in effect on other nodes would still apply, as would any network-level firewalls etc.

At a lower level, within a GCP VPC each node is effectively in its own broadcast/collision domain, so even if the attacker could put the NIC into promiscuous mode (is this even a thing in a VPC?), they are limited in what traffic they could observe. But can such a root attacker change this? Can they simply change the netmask, or is this effectively fixed by the software-defined networking?